Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Azure Policy Initiatives - allow Policy exclusion changes

    An initiative contains multiple policies, and need to be able to exclude application of a child policy while maintaining enforcement of the other policies within. Today, it is 'all or nothing' application of the initiative.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  2. Include core counts for VMs for the purpose of cross-joins with other data

    It would be great to have some of other meta data exposed within Resource Graph. More specifically a way to get the number of cores that a VM size has. This would be valuable for queries to show the total number of cores that are used. Right now, we have to export out the results of the Resource Graph and convert the VM SKU to the number of cores outside of Resource Graph. Having it within the Resource Graph would allow us to do joins within our queries to get a single report with all of the information that we…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  3. Create additional policy condition of 'inCaseSensitive' to validate case-senstive match in the Array

    Request to have the policy condition similar to 'in' for an Array to have an additional policy condition of 'inCaseSensitive' (or similar) to validate the value in the array is an exact, case-sensitive match.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  4. Make tag-values immutable (perhaps via Blueprint Locks)

    We are using tags a lot to organize our ressources. That's why we have some hundred values for one key.
    as deployers tend to do mistakes like typos we would be glad if tag-values could be predeployed and afterwards made immutable e.g. by using a blueprint and locking them. Another approach for the source of truth could be a storage table, or database.
    Like that no addition, duplicates, typos etc. could be created.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  5. Support conditions on artifact level

    It would be very nice when conditions attribute can be set on a artifact like it could on resources in an ARM template. So it would be possible to deploy or not deploy artifacts based on parameter inputs or outputs from an ARM.
    Example use case:
    Blueprint creates a vNet and an AKS cluster. Then you configure an ingress controller on AKS and after that a new NSG should be deployed which locks down the vNet so only the LB of the Ingress Controller is reachable. This can be done by update the blueprint assignment and specify a parameter like…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  6. Resource Changes: Track resource move

    Create a change log when a resource is moved to a different resource group and maintain its history from before it moved

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  7. Warn when results are truncated in Search-AzGraph

    Currently, when a you run a query via Search-AzGraph but don't specify the -First parameter, the results are limited to the first 100 items (see https://github.com/Azure/azure-powershell/blob/master/src/ResourceGraph/ResourceGraph/Cmdlets/SearchAzureRmGraph.cs for source code details).

    Whilst the reasoning behind limiting the results is fully understood (a select everything across all subscriptions is obviously going to return a large result set!) it should at very least result in a warning when results are truncated.

    As a secondary but related suggestion, I would also like to see the same warning be surfaced when the -First parameter is supplied but the result set is larger than the chosen…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  8. Blueprint Parameters Validation

    Currently the only Blueprint Parameter validation properties that are accepted is "defaultValue" and "allowedValues". Please add the following that are supported by ARM Template Parameters and would provide a much better experience for an Blueprint Assigner:


    • minValue

    • maxValue

    • minLength

    • maxLength

    More information about the above properties can be found here: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates#parameters

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  9. Ability to query for custom role definitions in Azure Resource Graph

    Please add support for listing all custom role definitions

    Resource Type: Microsoft.Authorization/roleDefinitions

    https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2017-09-01/roledefinitions

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  10. subscription transfer process

    Subscription Transfer process
    I lost my blueprints after the subscription transfer.
    I understand RBaC perms are lost but still don't understand why my Blueprints had to disappear as well.
    This has happened twice.
    Microsoft advised that resources will remain the same but that's not the case.
    Are Blueprints assigned to a resource group and subscription different?

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  11. Generate Alert when there is an audit on deployment.

    I've got a customer who wants to be informed via mail when a VM or a service is deployed outside the EU due to GDPR requirements.

    He wants to deploy those compontents in a separate resource group, where there is the allowed locations policy is attached but with the audit action instead of the deny action

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  12. Ability to query for DNS Zones CNAME type in Azure Resource Graph

    I am able to filter out resources by provider (e.g., 'Microsoft.Network') and higher-level types (e.g., 'Microsoft.Network/dnszones'). However, not all resource types are supported by Resource Graph. For example, DNS Zone record types aren't supported. I would like to get a response for a query like this one:

    az graph query -q "where type =~ 'microsoft.network/dnszones/cname'"

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  0 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  13. Azure Blueprints sample for Service Fabric Cluster

    It would be great to have a sample Azure Blueprints for stamping out different Service Fabric clusters. Unfortunately I haven't managed to find a sample online and tried to create one manually but failed as I am totally new to Azure and there are way too many pieces required for a putting together an Azure Blueprints for a secured multi-node type Service Fabric cluster.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  14. Allow policies to be assigned to Blueprints like they can Managment Groups and subscriptions

    Azure Policies allow for assignments when viewing the policy into Management Groups, Subscriptions, and Resource Groups. Would like to be able to add Blueprints to that list

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  15. GitOps

    How does this work with GitOps?

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  16. Prevent Owner role unless MFA enabled

    We have a requirement to ensure all Owners have MFA enabled, using Conditional access policies we can only assign Global Admins not Owners, so would appreciate a way within a management group to ensure the "owner" of the subscription has MFA enabled, which we could assign by policy instead of audit, adding enforce MFA for Owner

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  17. Option to delete non-blueprint RBAC Assignment when blueprint is assigned

    In a case where membership needed to be strictly controlled, the Blueprint configuration should offer an "Overwrite" option. This would remove any accounts manually added and block any accounts from being manually added.

    Overwrite Scenario

    Config
    • Account Admin role on a Subscription 1 has Amber and Brian.

    • Blueprint defines the members of the Account Admin role as Amber and Chuck and is assigned to Management Group A.

    Result
    • When Subscription 1 is moved to Management Group A the members of the Account Admin role is updated to Amber and Chuck

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  18. Parameters Concatenation

    I have a naming policy for resource type and i am naming it at a category level. I.e
    If Resource is of type CDN or Network then name should be CLIENT1-DEV-INT-<nameofresource>
    else If the Resource is of type AppFunction, AppService then name should be CLIENT1-DEV-WEB-<nameofresource>
    etc.

    So this Policy will be massive and having multiple clients I need to introduce a parameter to cover for first bit to be same i.e instead of hard coding CLIENT1-DEV I use parameter and make policy general and use CONCATENATION in the LIKE portion of policy like below.

    {
    "policyRule": {

    &quot;if&quot;: {
    
    &quot;not&quot;:
    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    3 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  19. Azure Policy - Compliance report should ignore non-taggable items

    Currently the compliance report looks at all resources for my tagging policy. However, some resources cannot be tagged (App Insights alerts come to mind or Databricks vnets). this messes with my ability to quickly check policy.

    Suggestion:

    Either ignore these resources, or add "Needs Review" if these resources are detected. Honestly ignoring the resources more desirable.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  20. Azure Resource Graph - Limitations in the Result Set

    Query results return only 1000 records

    Resource Graph limits any query to returning only 1000 records. This can be extended to the exact output values or the commands like First and Skip should be added with Kusto as well to exactly see the data.

    Also we are not able to use the MAP Visualization, as none of the Data set is matching with it. Can you add a demo for it as well.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base